Defining Your Service Accounts - Honeywell DOC4000 - 7.3 - Administration & Configuration - Intergraph

DOC4000 Administration Guide

Language: English | Product: Honeywell DOC4000 | Subproduct: Cyber | Category: Administration & Configuration | PAS Version: 7.3

DOC4000 uses several services to provide various features. The Service Administration link in the Admin Utility displays the Configure the Services window. This window allows you to start and stop each service. You can also specify the account user name and password for each service to use. These services should run under valid domain accounts, and the permissions required for these accounts depend on whether you chose to use Windows authentication mode or SQL Server mode to access the DOC4000 database:

IntegrityDataCollector2

Provides data import and management capabilities. This service must run on each DOC4000 data collector or server where asset data is imported. The account you specify for this service must have access to the data to be imported into DOC4000. This data can reside in files, folders, or databases, and can be located on computers other than the DOC4000 server or data collector. Because this service can run only as a single account, the various data locations must be configured to allow read access to this account.

By default, this service runs under the SYSTEM account. If the DOC4000 data files, the DOC4000 database, and the DOC4000 server are all on the same server, and the service is running under Local System, you do not need to specify an account for this service on this window.

If the DOC4000 database is on a separate server and you chose Windows authentication mode, this service account must have the db_owner role on each primary and secondary database. When using multiple databases, if a secondary database is on a separate server from the primary database, this service account must also have the setupadmin role on the primary database to create a database link.

pasIntegrityDB

Provides data management for multiple database deployments. This service is not needed for single database deployments. When using multiple databases, this service must run on the DOC4000 server for the primary database. The account you specify for this service must be a valid domain account. In addition, you need to specify this account in the InstallPath\DataCollector\*.exe.config files on the DOC4000 server for the primary database.

PAS WebFileService

Provides features for the DOC4000 web interface, such as email notifications and reporting capabilities. This service must run on the DOC4000 server that provides the DOC4000 web interface. Depending on your site security, the account you specify for this service can be either a local user account or a domain user account; in either case it must have read and write permissions to the folder where you installed DOC4000 and its subfolders. If you have specified a local user account and experience issues, specify a domain user account instead. For email notifications, this service uses the settings specified through Maintenance > Configure Email Settings in the Admin Utility.

pasWindowsEventLog

Provides Windows event log data processing and management. This service must run on each DOC4000 data collector or server where Windows event data is imported. The account you specify for this service must have read permissions to the folder where you installed DOC4000. This account must also have read and write permissions to the folder and subfolders where event log data to import is stored. DOC4000 stores Windows event log data in a separate database named PASWindowsEventLogs.

If you collect Windows event log data, the account used to connect to the database (SQL login for SQL Server mode or the pasWindowsEventLog service account for Windows authentication mode) must have the following roles:

  • dbcreator and serveradmin server roles

  • If you chose Windows authentication mode, the pasWindowsEventLog service account must also have the db_owner role for the SQL Server where the DOC4000 database is stored and the db_datareader role for the DOC4000 database.

If you collect Windows event log data and if you chose Windows authentication mode, the administrator who uses the Admin Utility to create the Windows event log collection database must have at least the dbcreator role on the SQL Server where the DOC4000 database is stored.
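The following T-SQL is an added example, not a script from the Honeywell guide: it grants exactly the roles listed above to the pasWindowsEventLog service account in Windows authentication mode. The login name `CORP\svc_pasWinEventLog` is a constructed placeholder, and the DOC4000 database name `DOC4000` is an assumption; the same ALTER ROLE / ALTER SERVER ROLE statements apply to the roles the other services require.

```sql
-- Added example (not from the DOC4000 guide). Placeholders:
--   CORP\svc_pasWinEventLog : constructed service account name
--   DOC4000                 : assumed name of the DOC4000 database
USE [master];
GO
-- Windows login for the service account (Windows authentication mode)
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CORP\svc_pasWinEventLog')
    CREATE LOGIN [CORP\svc_pasWinEventLog] FROM WINDOWS;
GO
-- Server roles the guide requires so the service can create and manage
-- the PASWindowsEventLogs database
ALTER SERVER ROLE [dbcreator]   ADD MEMBER [CORP\svc_pasWinEventLog];
ALTER SERVER ROLE [serveradmin] ADD MEMBER [CORP\svc_pasWinEventLog];
GO
-- Database roles on the DOC4000 database
USE [DOC4000];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CORP\svc_pasWinEventLog')
    CREATE USER [CORP\svc_pasWinEventLog]
        FOR LOGIN [CORP\svc_pasWinEventLog];
ALTER ROLE [db_datareader] ADD MEMBER [CORP\svc_pasWinEventLog];
-- The guide also lists db_owner for this account; it is granted on the
-- DOC4000 database here (assumption about which database is meant).
ALTER ROLE [db_owner] ADD MEMBER [CORP\svc_pasWinEventLog];
GO
```

Run the script once per SQL Server instance that hosts the DOC4000 database; the IF NOT EXISTS guards make it safe to re-run after a password change or account rebuild.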

PAS Integrity Scheduler

Provides features for the DOC4000 web interface, such as email notifications and scheduled tasks. This service is required if you want to apply normalization rules as you modify or add them and to perform risk analysis activities. The first time you run the service, DOC4000 creates a new database (PASScheduler) on the DOC4000 data collector server.

Ensure that the PAS Integrity Scheduler service is running on the DOC4000 web server (the IIS server hosting the DOC4000 web interface). If the connection to the DOC4000 database is using Windows authentication mode, the PAS Integrity Scheduler service needs to run as a domain account that has the dbcreator server role on the SQL Server instance and the db_datareader role on the DOC4000 database. If the connection to the DOC4000 database is using SQL Server mode for login authentication, the SQL Server login account used for the web interface needs the dbcreator server role on the SQL Server instance.

PAS Integrity Integration

Provides features for the DOC4000 web interface, such as integrations with third-party applications. This service must run on the DOC4000 server that provides the DOC4000 web interface.

Review the following additional considerations for the account you specify for each service to use and related Windows accounts:

  • If the DOC4000 database uses Windows authentication, these services can run as Local System only if the DOC4000 data files, the DOC4000 database, and the DOC4000 server are all on the same server.

  • If the DOC4000 database uses Windows authentication, some of these services need to use accounts that have permissions to access the SQL Server database.

  • For each account you specify, if the password for that account is changed, you must also change the password through the Service Administration link in the Admin Utility or through the service configuration itself.

  • By default, SQL Server uses the NETWORK SERVICE Windows account for many functions. Set the NT AUTHORITY\NETWORK SERVICE Windows account to have permissions to the DOC4000 database.

  • Maintenance jobs require the SQL Server Agent service to be active and running under a Windows account that has permissions to the DOC4000 database. Set the SQL Server Agent service to run under the NT AUTHORITY\NETWORK SERVICE Windows account and to start automatically.
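The queries below are an added example, not part of the Honeywell guide: they let an administrator confirm from SQL Server itself that the considerations above hold, in particular that the SQL Server Agent runs under NT AUTHORITY\NETWORK SERVICE with automatic startup, and that the service accounts hold only the server and database roles the guide lists. The DOC4000 database name `DOC4000` is an assumption.

```sql
-- Added example (not from the DOC4000 guide); DOC4000 database name assumed.

-- 1. SQL Server Agent service account and startup type.
--    Expected per the guide: NT AUTHORITY\NETWORK SERVICE, Automatic.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Agent%';

-- 2. Server-level role membership of every Windows login.
--    Review that the DOC4000 service accounts hold only the roles the guide
--    names (dbcreator, serveradmin, setupadmin) and nothing broader such as
--    sysadmin; anything beyond that is excess privilege for these services.
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.type_desc IN (N'WINDOWS_LOGIN', N'WINDOWS_GROUP')
ORDER BY m.name, r.name;

-- 3. Database-role membership inside the DOC4000 database, which should
--    include the service accounts and NT AUTHORITY\NETWORK SERVICE with the
--    roles described above (db_owner / db_datareader as applicable).
USE [DOC4000];
SELECT u.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = rm.member_principal_id
ORDER BY u.name, r.name;
```

Re-run these after any service account or password change made through the Service Administration link, since a changed Windows account needs its own login and role membership.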

To specify the service accounts:

  1. In the Admin Utility, click the Service Administration link.

  2. In the Service name field, select the service to configure.

  3. Type the user name and password for an account that has the required permissions for the service. Click Get Accounts to view all accounts on the server.

  4. To preface the account name with the domain name and backslash, check the Add Domain to Username check box.

  5. Click Save.